For binary see here -> Thanks again to Xylitol (french electro is #1)
So let's sum up a bit:
Dropper
Information:
- Time Date Stamp: 2012/05/15 10:58:31 UTC
- File Size: 81.920 Bytes
- PEiD: Microsoft Visual C++ 6.0 -> but no Microsoft Rich Header (!?)
- Sections: .text, .rsrc
- Resource Section: contains a Bitmap (FRAME0, ..., FRAME5) which actually is an encrypted kernel driver
The dropper creates an invisible window and makes use of a Windows message (WM_TIMER) to load the callback function of the WNDCLASSEX structure. The callback function is responsible for loading the driver... More analysis and understanding is needed... More to come...
Driver
Information:
- Time Date Stamp: 2012/05/15 10:26:20 UTC
- File Size: 40.448 Bytes
The HTML file contains base64(?) encoded data. More analysis is needed...
The driver also requests the robots.txt file from server 91.228.152.134 (Port 80) as follows: http://91.228.152.134/robots.txt
Purpose yet unknown. More analysis is needed...
Thereafter the driver creates the following folder: C:\WINDOWS\Installer\{9E4856BE-A4A7-634B-EF2C-389F88534236} (hidden by default)
In this folder a file is created as follows: C:\WINDOWS\Installer\{9E4856BE-A4A7-634B-EF2C-389F88534236}\67f792f70364c6b1a
Any operation from usermode (copy, delete, ...) is blocked and ends up in an error message.
The file contains some encrypted/formatted data.
Results so far
The purpose of this malware is yet unknown. It seems like the malware uses the driver just to operate entirely from kernelmode and doesn't hook any functions. But these are just assumptions...
Since my kernelmode skills are very limited, I hope someone analyzes the driver in more depth.
Conclusion so far
There are other samples of this malware which date back to at least February 2012, so the threat is somewhat new and still in active development.
See: http://threatexpert.com/reports.aspx?fi ... 5&x=2&y=14
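Added example, not code from the post or from the sample's author: a small pure-Python PE triage script that reproduces the static checks listed above (link TimeDateStamp, section names, a Rich header check, and a per-section entropy estimate that flags a resource section which is really an encrypted payload rather than bitmaps). To run offline it builds a constructed minimal PE32 image in memory; that image, its Rich header contents (one made-up compid/count pair) and the 0x12345678 XOR key are assumptions, not data from the sample. Point `triage()` at real bytes from `open(path, "rb").read()` to use it on a dropper.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

RICH_MAGIC = b"Rich"
DANS_MAGIC = 0x536E6144  # 'DanS' as a little-endian dword

# Constructed epoch value matching the dropper's reported stamp (2012/05/15 10:58:31 UTC).
DROPPER_TS = int(datetime(2012, 5, 15, 10, 58, 31, tzinfo=timezone.utc).timestamp())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for zero-fill, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_rich_header(data: bytes, e_lfanew: int):
    """Locate the MSVC 'Rich' block in the DOS stub and decode it with its XOR key.
    Returns None when absent, else {'key', 'entries': [(prodid, build, count), ...]}."""
    idx = data.find(RICH_MAGIC, 0x40, e_lfanew)
    if idx < 0:
        return None
    key = struct.unpack_from("<I", data, idx + 4)[0]
    decoded, pos = [], idx - 4
    while pos >= 0x40:  # walk back dword by dword until the decoded 'DanS' marker
        val = struct.unpack_from("<I", data, pos)[0] ^ key
        if val == DANS_MAGIC:
            break
        decoded.append(val)
        pos -= 4
    else:
        return None  # a stray 'Rich' string without 'DanS' is not a Rich header
    decoded.reverse()
    entries = decoded[3:]  # three padding dwords follow 'DanS', then (compid, count) pairs
    pairs = [(entries[i] >> 16, entries[i] & 0xFFFF, entries[i + 1])
             for i in range(0, len(entries) - 1, 2)]
    return {"key": key, "entries": pairs}


def triage(data: bytes) -> dict:
    """Static triage of a PE image: link timestamp, sections with entropy, Rich header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsect):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    rich = find_rich_header(data, e_lfanew)
    notes = []
    if rich is None:
        notes.append("no Rich header: MSVC linker metadata absent or stripped")
    for s in sections:
        if s["name"] == ".rsrc" and s["entropy"] > 7.0:
            notes.append(".rsrc entropy %.2f: resources likely hold a packed or encrypted payload" % s["entropy"])
    return {"timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y/%m/%d %H:%M:%S UTC"),
            "size": len(data), "sections": sections, "rich_header": rich, "notes": notes}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (sha256 chain) standing in for an encrypted resource."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe(timestamp: int, with_rich: bool) -> bytes:
    """Constructed minimal PE32 (not the post's sample): zero-filled .text, random .rsrc."""
    key = 0x12345678  # assumed XOR key for the constructed Rich header
    stub = b""
    if with_rich:  # DanS^key, 3 x (0^key), one constructed (compid, count) pair, 'Rich', key
        stub = struct.pack("<IIII", DANS_MAGIC ^ key, key, key, key)
        stub += struct.pack("<II", 0x00062264 ^ key, 5 ^ key) + RICH_MAGIC + struct.pack("<I", key)
    stub += b"\0" * ((-len(stub)) % 8)
    e_lfanew = 0x40 + len(stub)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, len(opt), 0x0102)
    text, rsrc = b"\0" * 0x200, _pseudo_random(0x1000)
    hdr_len = e_lfanew + 4 + len(coff) + len(opt) + 2 * 40
    text_ptr = (hdr_len + 0x1FF) & ~0x1FF
    rsrc_ptr = text_ptr + len(text)

    def sect(name, vaddr, raw, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, flags)

    headers = (dos + stub + b"PE\0\0" + coff + opt
               + sect(b".text", 0x1000, text, text_ptr, 0x60000020)
               + sect(b".rsrc", 0x2000, rsrc, rsrc_ptr, 0x40000040))
    return headers + b"\0" * (text_ptr - len(headers)) + text + rsrc


if __name__ == "__main__":
    import json
    for rich in (False, True):
        print(json.dumps(triage(build_sample_pe(DROPPER_TS, rich)), indent=2))
```

The Rich header walk matters because PEiD's "Visual C++ 6.0" verdict comes from entry-point byte patterns, while the Rich block is what the MSVC linker itself leaves behind; a VC6 signature with no Rich block is the mismatch the post flags. The entropy figure is the quick way to confirm that FRAME0..FRAME5 are not bitmaps: real BMP resources sit well below 7 bits per byte, an encrypted driver sits near 8.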
Malware Reversing
http://www.malware-reversing.com